Windows Defender Vulnerability Lets Malware Install Into System32

The PC Security Channel
Apr 23, 2026

Why It Matters

The flaw lets ordinary malware running as a standard user gain system‑level write access to protected Windows directories, threatening both consumer PCs and enterprise networks that rely on Defender. No fix was available at the time of the video, which underscores the need to apply Microsoft's patch as soon as it ships and to layer additional controls on top of the built‑in antivirus.

Key Takeaways

  • Windows Defender's remediation of a detected threat can unintentionally write attacker‑controlled content into System32
  • The exploit abuses the cloud‑file (OneDrive‑style placeholder) flag so that Defender's SYSTEM‑level cleanup rewrites a protected system file
  • No admin rights required; execution as a normal user is enough to trigger the privilege escalation
  • The vulnerability affects many enterprises that rely on Defender and Defender for Endpoint as their primary antivirus and EDR
  • No fix was available at the time of publication; users should consider supplemental security controls until Microsoft patches

Summary

Windows Defender, Microsoft's built‑in antivirus, was shown to enable a malicious program to write directly to the protected System32 directory. In a live demo, the researcher ran a proof‑of‑concept called RedSun, which triggered Defender's "threat found" alert; the quarantine action itself then produced a command prompt running with full SYSTEM privileges, and the payload ended up written into System32 even though the sample was launched from a standard user account with no administrative rights.

The exploit leverages the way Windows treats cloud‑synced files, particularly those flagged as OneDrive placeholder items. By masquerading as a cloud file, the malware gets Defender's remediation, which runs as the SYSTEM account, to rewrite the file's original location, so the attacker's content lands in a directory the low‑privileged user could never write to directly. The researcher released three related projects (RedSun, Undefend and BlueHammer), each exposing a zero‑day flaw in Defender that Microsoft had not patched at the time of the video.
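The video does not publish the exploit internals, so the following is an added hunting check for defenders, not the researcher's proof‑of‑concept code. It lists files under System32 that carry reparse‑point or cloud‑placeholder attributes (the Windows cloud‑files bits FILE_ATTRIBUTE_RECALL_ON_OPEN, 0x40000, and FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS, 0x400000, which normal system binaries should never have), plus any file created in the last few days that is not validly Microsoft‑signed. The `$Root` path and the 7‑day window are assumptions you can adjust; run it from an elevated PowerShell prompt.

```powershell
# Added example: triage files in System32 for cloud-placeholder attributes
# or recent creation without a valid Microsoft signature. Not the PoC from
# the video; the path and the day threshold below are assumptions.
param(
    [string]$Root = "$env:SystemRoot\System32",
    [int]$Days = 7
)

# Raw NTFS attribute bits used by the Windows cloud-files (placeholder) API.
# They are not named in the .NET [IO.FileAttributes] enum, so test the int.
$FILE_ATTRIBUTE_RECALL_ON_OPEN        = 0x40000
$FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x400000
$cutoff = (Get-Date).AddDays(-$Days)

Get-ChildItem -LiteralPath $Root -File -Force -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $attr = [int]$_.Attributes
        # A placeholder or reparse point inside System32 is worth a look on its own.
        $isPlaceholder = (($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) -or
                         (($attr -band $FILE_ATTRIBUTE_RECALL_ON_OPEN) -ne 0) -or
                         (($attr -band $FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS) -ne 0)
        $isRecent = $_.CreationTimeUtc -gt $cutoff
        if ($isPlaceholder -or $isRecent) {
            # Signature check covers embedded and catalog signatures on current builds.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                Created     = $_.CreationTimeUtc
                Placeholder = $isPlaceholder
                SigStatus   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
            }
        }
    } |
    # Keep every placeholder; keep recent files only when they are not Microsoft-signed.
    Where-Object { $_.Placeholder -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: a fresh cumulative update legitimately creates many Microsoft‑signed files, which the signer filter drops, while anything unsigned, third‑party‑signed, or flagged as a placeholder inside System32 deserves a closer look, including checking which process wrote it.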

A striking comment from the demo highlights the paradox: "malware is more powerful because of Windows Defender detecting it." The proof‑of‑concept shows that setting a single file flag lets a regular user process borrow Defender's SYSTEM‑level remediation to place files where only the system should be able to, opening the door for rootkits or ransomware to embed themselves silently.

Given that Defender protects the majority of Windows endpoints and Microsoft Defender for Endpoint serves many enterprises as their primary EDR, the vulnerability poses a systemic risk. Organizations should monitor Microsoft's response, apply any forthcoming patches promptly, and consider layered defenses beyond the native antivirus, such as an independent EDR and monitoring for unexpected writes to System32, to mitigate this and similar privilege‑escalation attacks.

Original Description

Windows Defender Vulnerability installs Malware in System32: RedSun, Undefend and BlueHammer, Zero-Days in Windows Defender could let hackers install their rootkit and gain administrator privileges. Learn Cybersecurity with TryHackMe (Sponsor): https://tryhackme.com/PCSecuritySAL2 (Code:PCS30)
Join the discussion on Discord: http://discord.tpsc.tech/
Get your business endpoints tested by us: http://tpsc.tech/
